> -----Original Message-----
> From: Lamar Owen [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 26, 2002 10:50 AM
> To: Bruce Momjian; Tom Lane
> Cc: Sir Mordred The Traitor; [EMAIL PROTECTED]
> Subject: Re: [HACKERS] @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
>
> On Monday 26 August 2002 12:59 pm, Bruce Momjian wrote:
> > Tom Lane wrote:
> > > It may indeed make sense to put a range check here, but I'm getting
> > > tired of hearing the words "dos attack" applied to conditions that
> > > cannot be exploited to cause any real problem. All you are
> > > accomplishing is to spread FUD among people who aren't sufficiently
> > > familiar with the code to evaluate the seriousness of problems...
> >
> > It isn't fun to have our code nit-picked apart, and Sir-* is
> > over-hyping the vulnerability, but it is a valid concern. The length
> > should probably be clipped to a reasonable length and a comment put in
> > the code describing why.
>
> The pseudo-security-alert format used isn't terribly palatable here, IMHO. On
> BugTraq it might fly -- but not here.

An alarmist style when posting a serious error is a good idea.
"Hey guys, I found a possible problem..." does not seem to generate the needed level of excitement.

DOS attacks mean that business stops. I think that should generate a furrowed brow, to say the least.

> A simple 'Hey guys, I found a possible
> problem when.....' without the big-sounding fluff would sit better with me,
> at least. The substance of the message is perhaps valuable -- but the
> wrapper distracts from the substance.

As long as the needed data is included (here is how to reproduce the problem...) I don't see any problem.

> And dealing with a real name would be nice, IMHO. Otherwise we may end up
> with 'SMtT' as the nickname -- Hmmm, 'SMitTy' perhaps? :-) Reminds me of
> 'Uncle George' who did quite a bit for the Alpha port and then disappeared.

If he wants to call himself 'Sir Mordred' or 'Donald Duck' or 'Jack the Ripper' or whatever, I don't see how it matters. He is providing a valuable service by locating serious problems. These are the sort of things that must be addressed. This is the *EXACT* sort of information that is needed to make PostgreSQL become as robust as Oracle, SQL*Server, DB/2, etc.

Every free database engine project should be so lucky as to have a 'Sir Mordred'.

IMO-YMMV.